Locking PDPA’s Floodgates: My Digital Lock Pte. Ltd. [2018] SGPDPC 3

In My Digital Lock Pte. Ltd. [2018] SGPDPC 3, the Complainant brought a complaint under the Personal Data Protection Act 2012 (“PDPA”) against a digital lock seller (the “Organisation”) for disclosing the Complainant’s personal data through a police report which was posted on Facebook. The Complainant was identified in the police report as allegedly harassing a staff member of the Organisation. This was the Complainant’s third complaint against the Organisation.

Although the facts do appear to engage the PDPA regime, the Personal Data Protection Commission (“PDPC”) decided to exercise its discretion to discontinue investigations. The Commissioner found that the essence of the complaint was the publication of allegedly defamatory statements in the police report. Insofar as the issues touch on the Complainant’s expectations of privacy, this was already “protected by a framework of common law and statutory torts” (at [59]). The Commissioner was thus of the opinion that the complaint would have been better resolved through the judicial process, taking into account the history between the parties.

This decision is important as there are at least three (3) points that clarify the application of the PDPA:

1. An organisation may disclose personal data to defend itself from allegations made against it if the disclosure is reasonable and proportionate.

While the Commissioner did not have to decide on this issue, the Commissioner saw fit to reiterate this principle (see also Re M Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and Re Black Peony [2017] PDP Digest 218). It is thus fairly settled that there is no blanket prohibition against disclosure of personal data in responding to allegations. The key issue is whether the disclosure is proportionate and reasonable.

2. Not all disclosures of documents containing personal data will attract the PDPC’s enforcement jurisdiction.

The Commissioner drew a distinction between:

a. documents that are clearly about an individual;

b. documents that are not clearly about an individual but the information contained therein is “biographically significant”, that is, the information relates to the individual and not some other person, transaction, or event that the individual may have figured or have had an interest in (see Durant v Financial Services Authority [2003] EWCA Civ 1745 at [28]); and

While documents under categories a. and b. would fall under the PDPA regime, documents under category c. would likely not unless the content of the message conveys information about the individual.

In the present case, the Commissioner held that the disclosure of personal data in the police report was one that the PDPC will scrutinise under the PDPA. This is because the “disclosure of the Complainant’s identity was … one of the purposes of the report and since the allegation in the report was about the Complainant’s purportedly harassing conduct, the content of the report was therefore potentially of biographical significance” (at [20]).

Nevertheless, the Commissioner exercised its discretion not to do so in light of the background surrounding the complaint, which appeared to involve the publication of allegedly defamatory remarks.

3. The PDPC may not investigate complaints if the interest to be protected falls outside informational privacy.

The Commissioner spent a large portion of the decision discussing the intersection between the existing legal framework in Singapore that seeks to protect privacy (at [21] to [51]). These include:

1. Protection from Harassment Act (Cap. 256A) (“POHA”);

2. Breach of confidence;

3. Passing off;

4. Defamation; and

5. Malicious Falsehood.

The Commissioner was also cognizant of judicial developments in other common law jurisdictions like the tort of intrusion upon seclusion in New Zealand and Canada, the tort of misuse of private information in the UK, and the right of publicity in the US.

In the present case, the Commissioner was of the opinion that the complaint fell within the ambit of the POHA (at [60]-[61]), and held that “it would be a mistake to distort [the PDPA] in order to address privacy issues that it was not meant to address” (at [51]).

Conclusion

This decision reminds us that the PDPA regime is not meant to unduly burden organisations. The application of the PDPA should be tempered with reasonableness, bearing in mind the purpose of the regime. That said, this decision also shows us that outside of the PDPA, there exists a growing web of legal causes of action relating to privacy that an organisation should be aware of.